VPN – What does it really do?

If you’re like a lot of people, you’ve probably noticed that Netflix in Canada is kind of sucky relative to Netflix in the USA. Or perhaps you’ve hit a video link on some web site only to be told that the content is not available in your country. Geography-based content rules are *REALLY* annoying… doubly so because what they are is a flagrant money-grab by entertainment industry middlemen – an attempt to screw people for more money based on their geographic location.

But… you’ve probably seen advertisements about a technology to help you get around this problem: The Virtual Private Network, or VPN. This short essay will tell you the truth about VPN, and you can decide for yourself if it’s something you want to spend money on.

What is a VPN?

As noted above, VPN stands for “virtual private network”. Basically what a VPN does is extend someone else’s network onto your computer, making you a part of their network rather than being a part of your home / local network (yes, there are nuances, I’ll get to that). Whether you’re using that Cisco client to work from home with your company, or paying a service to watch US Netflix via VPN, the technology is the same: you activate a client of some sort and become part of a remote network. Usually there is good encryption involved so the data traffic between your computer and the VPN gateway is protected against interception.

Why would I want a VPN?

There are two primary reasons to use a VPN. In the “work from home” situation, the VPN allows you to connect a work computer onto an arbitrary network (like your home network, or the wifi at a cafe), and then use an encrypted connection to join your work/corporate network as if you were on site at your desk. The encryption and authentication methods used allow you to connect securely and do your work in a manner that protects the corporation’s data. This is the technology that allows people to work anywhere there is internet access.

The other reason is that when you use a VPN, you are given a new internet address – one that looks like it originates somewhere that you are not, be it across town, across the country, or across the planet. When you connect to a VPN server, you join someone else’s network. For all intents and purposes, your computer appears to be wherever that VPN server is located (or appears to be, since it could also be connected to a VPN). This use allows you to fool geographic blocking and restrictions (sort of – more on that later). This is the technology that allows someone to, say, set up a US Netflix account and watch it from Lower Slobovia.

That’s awesome, isn’t it?

Yes and no. Here’s the truth of it…

Protecting your information? Sort of…

VPN providers often advertise how their technology allows you to protect your private information in transit over the internet. Certainly, within the VPN tunnel, a properly set up VPN will have good encryption and protect any information you send into that tunnel. However, and it’s a big however, that tunnel ends at the VPN server somewhere. It is decrypted there and put on the network owned by the VPN host. See that dotted green line in the image above? That’s your DECRYPTED traffic heading into the internet to the location you’re seeking.

If that’s your work network, fine. It’s your company and you only do company stuff anyway.

If that’s some random VPN company, your traffic is now on their network and visible to their administrators to the very same extent that it’s visible to your ISP’s administrators if you’re not using a VPN.

Furthermore, when you hit a non-encrypted web site (i.e. not an HTTPS:// link) your information is in the clear from the VPN server to that site and back to the VPN server. Yes, it is encrypted from the VPN server to your computer, but in reality it’s no more protected than if you didn’t have the VPN and went to that site directly from your computer.

In a practical sense, a VPN offers no realistic protection to your internet surfing, except against your internet service provider, who can only see you going to a VPN service.

Also, if you end up with a key logger or other malware on your computer that transmits data to remote sites, VPN absolutely will not protect you from that kind of exposure.

Hiding my surfing habits? Sort of…

While your ISP may not be able to easily divine your surfing habits beyond “uses a VPN”, the VPN provider certainly can. Whether you’re trying to VPN through work to a porn site, or VPN on a commercial service to a porn site, there are plenty of system admins who can confirm that your computer is accessing porn. In this way, it’s LESS secure than just surfing the porn directly (where only your ISP can see your destination) because the VPN server admins can see it, as can their ISP admins.

I need to be sure this is absolutely clear to everyone reading: A VPN only protects the traffic between your computer and the VPN server; if you access internet sites, they are no more protected by your VPN than if you went there without the VPN.
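To make the point above concrete, here is a small Python model of the path your traffic takes (added here as an illustration; it is not code from the original essay and not any real VPN product). It stands in a toy tunnel cipher (SHA-256 keystream plus HMAC, fine for a demo but not something to deploy), wraps an inner packet addressed to the real site inside an outer packet addressed to the VPN server, then reports what four vantage points can read: your ISP, the VPN server, the wire between the VPN server and the site, and the site itself. The IP addresses and the HTTP request are constructed sample values.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

# Constructed sample values (documentation IP ranges, not real hosts).
CLIENT_IP = "198.51.100.7"   # your home connection, as your ISP sees it
VPN_IP = "192.0.2.10"        # the VPN provider's server, where the tunnel ends
SITE_IP = "203.0.113.25"     # the web site you are actually visiting
REQUEST = b"GET /account HTTP/1.1\r\nHost: bank.example\r\nCookie: session=abc123\r\n\r\n"


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream from SHA-256(key || nonce || counter). Illustrative only."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC-SHA256 tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt. Tampered packets are rejected, not decrypted."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("tunnel packet failed authentication")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


@dataclass
class View:
    """What one observer on the path can read. application_data=None means ciphertext only."""
    src: str
    dst: str
    application_data: Optional[bytes]


def simulate(https: bool) -> dict:
    """Send REQUEST through the VPN and report each vantage point's view."""
    tunnel_key = os.urandom(32)  # shared between your client and the VPN server
    site_key = os.urandom(32)    # stands in for the TLS session with the site (HTTPS only)

    # Application layer: HTTPS protects the request end to end; plain HTTP does not.
    app_payload = seal(site_key, REQUEST) if https else REQUEST

    # Client: the inner packet (real destination + app payload) goes inside the tunnel.
    inner = SITE_IP.encode() + b"\n" + app_payload
    outer = {"src": CLIENT_IP, "dst": VPN_IP, "payload": seal(tunnel_key, inner)}

    # Vantage 1, your ISP: a sealed blob going to the VPN server, nothing more.
    isp = View(outer["src"], outer["dst"], None)

    # Vantage 2, the VPN server: the tunnel ends here, so it decrypts the inner packet,
    # learns the real destination, and reads the request if the site is plain HTTP.
    real_dst, forwarded = unseal(tunnel_key, outer["payload"]).split(b"\n", 1)
    vpn_server = View(CLIENT_IP, real_dst.decode(), None if https else forwarded)

    # The server forwards the request with ITS address as source (your "new" address).
    egress = {"src": VPN_IP, "dst": real_dst.decode(), "payload": forwarded}

    # Vantage 3, the wire from VPN server to site: same exposure as surfing without a VPN.
    wire = View(egress["src"], egress["dst"], None if https else egress["payload"])

    # Vantage 4, the site: sees the VPN server as the client and reads the request.
    body = unseal(site_key, egress["payload"]) if https else egress["payload"]
    site = View(egress["src"], egress["dst"], body)

    return {"isp": isp, "vpn_server": vpn_server, "vpn_to_site_wire": wire, "site": site}


if __name__ == "__main__":
    for scheme in ("http", "https"):
        print(f"--- {scheme.upper()} site reached through the VPN ---")
        for where, v in simulate(https=(scheme == "https")).items():
            seen = v.application_data.decode() if v.application_data else "(ciphertext only)"
            print(f"{where:>17}: {v.src} -> {v.dst}: {seen!r}")
```

Run it and compare the two tables: with plain HTTP, everything after the VPN server (the server itself, its upstream, the site) reads the cookie in the clear; with HTTPS, the VPN server and its upstream still learn which address you talked to, only the site reads the request. One caveat the toy leaves out: with real TLS the VPN server also sees the site’s hostname through your DNS lookups and the TLS handshake, so “which address” is really “which site”.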

Hiding my location? Sort of…

When you use a VPN, your internet access appears, to the rest of the internet, to originate wherever the internet thinks the VPN server is. This may be beneficial in some situations. You can, for example, use a VPN service that has servers in the USA to fool Netflix into letting you watch USA-only content. This really will work.

For a while.

You see, content control Nazis have a lot of time and resources on their hands. VPN services are relatively few in number and fairly easy to locate. Once located they can be blocked just as easily. Many content providers (like Netflix) engage in this kind of defensive activity.

Also, and this is *very* important, remember that the geographic location of the VPN server might be in a different legal jurisdiction. Different jurisdictions have different laws. Here are a few that are interesting and relevant:

In the USA, any US company can be compelled to provide encryption keys and access to customer data and traffic as part of the laws around Homeland Security. If you’re using a US VPN service, the US government can spy on your traffic if they are so inclined.

In India, France, and many other countries, businesses offering encryption services (like VPN) may be required to provide access to government officials as a matter of course, or be required to use known weak encryption to facilitate government surveillance.

So you’re saying I shouldn’t bother?

No. I’m saying you should think about what your requirements are.

If you desperately need US Netflix, then, by all means, subscribe to some US VPN service and take your chances. Presumably they’re aware of Netflix blocking and deal with that as part of their service. Hey, it’s your money.

If you want remote access to your home network, a VPN is a great way to do it (I have this, it’s awesome). Obviously, you’d need the equipment and know-how to set this up at home.

If you want your employees to have remote access to your corporate network, VPN is the solution. Obviously, you’d need the equipment and know-how to set this up at work.

However, if you think VPN is going to hide your senior citizen midget pr0n habit from everyone, or protect you from the latest brainchild of the NSA or other government agency, think again… because if you don’t control both ends of the VPN tunnel, your traffic can always be spied on by somebody.

And if you think VPN offers protections against the shortcomings of other internet sites (like sites that take personal information but don’t use HTTPS) then you’re just out of luck, and the people advertising this type of protection are just plain lying… or worse, they actually don’t know better, which makes them incompetent.

But I use TOR!

Hahahahaha. Yeah. Because TOR has totally never been infiltrated by the FBI and all manner of law enforcement, spies, and criminals.